package org.apache.oozie.service;

import java.io.IOException;
import java.net.InetAddress;
import java.security.AccessControlException;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.configuration.FileOptionsProvider;
import org.apache.oozie.ErrorCode;
import org.apache.oozie.util.ParamChecker;
import org.apache.oozie.util.XLog;

/* loaded from: input_file:WEB-INF/lib/oozie-core-5.1.0.805-mapr-636.jar:org/apache/oozie/service/ProxyUserService.class */
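/**
 * Authorizes impersonation ("doAs") requests made by proxy users.
 *
 * <p>For every proxy user the configuration must define both
 * {@code oozie.service.ProxyUserService.proxyuser.<user>.hosts} and
 * {@code oozie.service.ProxyUserService.proxyuser.<user>.groups}. Each value is either a
 * comma-separated allowlist or the wildcard {@code *}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@code *} is stored as a {@code null} set and disables that check entirely for the
 *       proxy user (any host, or any doAs user).</li>
 *   <li>Host allowlist entries are canonicalised through name resolution once, in
 *       {@link #init(Services)}; the map is not refreshed afterwards.</li>
 *   <li>The host check is only as trustworthy as name resolution and as the {@code proxyHost}
 *       value handed to {@link #validate(String, String, String)}; where that value comes from
 *       is decided by the caller and is not visible here.</li>
 * </ul>
 */
public class ProxyUserService implements Service {
    private static final XLog LOG = XLog.getLog(ProxyUserService.class);
    public static final String CONF_PREFIX = "oozie.service.ProxyUserService.proxyuser.";
    public static final String GROUPS = ".groups";
    public static final String HOSTS = ".hosts";
    private Services services;
    // proxy user -> allowed (canonicalised) hosts; a null value means "*" (any host).
    private final Map<String, Set<String>> proxyUserHosts = new HashMap<>();
    // proxy user -> groups the doAs user must belong to; a null value means "*" (any user).
    private final Map<String, Set<String>> proxyUserGroups = new HashMap<>();

    /**
     * Returns the service interface this implementation is registered under.
     *
     * @return {@code ProxyUserService.class}
     */
    @Override // org.apache.oozie.service.Service
    public Class<? extends Service> getInterface() {
        return ProxyUserService.class;
    }

    /**
     * Loads the per-proxy-user host and group allowlists from the service configuration.
     *
     * <p>List entries are trimmed and blank entries are dropped. Dropping blanks matters for
     * hosts: {@link InetAddress#getByName(String)} resolves an empty name to the loopback
     * address, so an empty or stray-comma {@code .hosts} value would otherwise silently
     * authorize the local host. With blanks dropped, an empty list authorizes nothing.
     *
     * @param services the services container providing the configuration
     * @throws ServiceException with {@code E0551} if a {@code .groups} property has no matching
     *         {@code .hosts} property (or vice versa), or with {@code E0550} if a configured
     *         host cannot be normalized
     */
    @Override // org.apache.oozie.service.Service
    public void init(Services services) throws ServiceException {
        this.services = services;
        Iterator<Map.Entry<String, String>> it = services.getConf().iterator();
        while (it.hasNext()) {
            Map.Entry<String, String> entry = it.next();
            String key = entry.getKey();
            if (!key.startsWith(CONF_PREFIX)) {
                continue;
            }
            if (key.endsWith(GROUPS)) {
                String proxyUser = proxyUserFromKey(key, GROUPS);
                if (proxyUser == null) {
                    continue;
                }
                requireProperty(services, CONF_PREFIX + proxyUser + HOSTS);
                String value = entry.getValue().trim();
                LOG.info("Loading proxyuser settings [{0}]=[{1}]", key, value);
                this.proxyUserGroups.put(proxyUser, value.equals("*") ? null : splitList(key, value));
            } else if (key.endsWith(HOSTS)) {
                String proxyUser = proxyUserFromKey(key, HOSTS);
                if (proxyUser == null) {
                    continue;
                }
                requireProperty(services, CONF_PREFIX + proxyUser + GROUPS);
                String value = entry.getValue().trim();
                LOG.info("Loading proxyuser settings [{0}]=[{1}]", key, value);
                Set<String> hosts = null;
                if (!value.equals("*")) {
                    hosts = new HashSet<>();
                    for (String host : splitList(key, value)) {
                        try {
                            String normalized = normalizeHostname(host);
                            LOG.info("  Hostname, original [{0}], normalized [{1}]", host, normalized);
                            hosts.add(normalized);
                        } catch (Exception e) {
                            // normalizeHostname reports resolution failures as an unchecked
                            // AccessControlException; surface them as a startup error instead.
                            throw new ServiceException(ErrorCode.E0550, host, e.getMessage(), e);
                        }
                    }
                }
                this.proxyUserHosts.put(proxyUser, hosts);
            }
        }
    }

    /**
     * Extracts the proxy user name from a property key that starts with {@link #CONF_PREFIX}
     * and ends with {@code suffix}.
     *
     * @return the user name, or {@code null} if the key carries no user name (for example the
     *         prefix and suffix overlap on the separating dot); such keys are logged and ignored
     *         rather than failing with an index error
     */
    private static String proxyUserFromKey(String key, String suffix) {
        int end = key.length() - suffix.length();
        if (end <= CONF_PREFIX.length()) {
            LOG.warn("Ignoring malformed proxyuser property [{0}], no user name", key);
            return null;
        }
        return key.substring(CONF_PREFIX.length(), end);
    }

    /**
     * Fails initialization if the companion property is not configured.
     *
     * @throws ServiceException with {@code E0551} and the missing property name
     */
    private static void requireProperty(Services services, String property) throws ServiceException {
        if (services.getConf().get(property) == null) {
            throw new ServiceException(ErrorCode.E0551, property);
        }
    }

    /**
     * Splits a comma-separated configuration value into trimmed, non-blank entries.
     *
     * @param key the property name, used only for the warning message
     * @param value the raw property value
     * @return the distinct entries; empty if the value holds no usable entry
     */
    private static Set<String> splitList(String key, String value) {
        Set<String> entries = new HashSet<>();
        for (String raw : value.split(",")) {
            String item = raw.trim();
            if (item.isEmpty()) {
                LOG.warn("Ignoring blank entry in proxyuser property [{0}]", key);
                continue;
            }
            entries.add(item);
        }
        return entries;
    }

    /**
     * Verifies that {@code proxyUser}, connecting from {@code proxyHost}, may act on behalf of
     * {@code doAsUser}.
     *
     * @param proxyUser the authenticated user requesting impersonation
     * @param proxyHost the host the request is attributed to
     * @param doAsUser the user to impersonate
     * @throws IOException declared by the group lookup
     * @throws AccessControlException if the proxy user is not configured, the host cannot be
     *         resolved or is not allowed, or {@code doAsUser} is in none of the allowed groups
     */
    public void validate(String proxyUser, String proxyHost, String doAsUser) throws IOException, AccessControlException {
        ParamChecker.notEmpty(proxyUser, "proxyUser", "If you're attempting to use user-impersonation via a proxy user, please make sure that oozie.service.ProxyUserService.proxyuser.#USER#.hosts and oozie.service.ProxyUserService.proxyuser.#USER#.groups are configured correctly");
        // NOTE(review): FileOptionsProvider.PROXY_HOST looks like a decompiler substitution for
        // the parameter-name literal; confirm it equals "proxyHost".
        ParamChecker.notEmpty(proxyHost, FileOptionsProvider.PROXY_HOST, "If you're attempting to use user-impersonation via a proxy user, please make sure that oozie.service.ProxyUserService.proxyuser." + proxyUser + ".hosts and oozie.service.ProxyUserService.proxyuser." + proxyUser + ".groups are configured correctly");
        ParamChecker.notEmpty(doAsUser, "doAsUser");
        LOG.debug("Authorization check proxyuser [{0}] host [{1}] doAs [{2}]", proxyUser, proxyHost, doAsUser);
        // containsKey, not get(): a null value is a legitimate "*" entry, while an absent key
        // means the user was never configured as a proxy user and must be rejected.
        if (!this.proxyUserHosts.containsKey(proxyUser)) {
            throw new AccessControlException(MessageFormat.format("User [{0}] not defined as proxyuser", proxyUser));
        }
        validateRequestorHost(proxyUser, normalizeHostname(proxyHost), this.proxyUserHosts.get(proxyUser));
        validateGroup(proxyUser, doAsUser, this.proxyUserGroups.get(proxyUser));
    }

    /**
     * Rejects the request unless the host is in the allowlist.
     *
     * @param proxyUser the proxy user, used in the error message
     * @param hostname the requesting host, already normalized by the caller
     * @param validHosts the allowlist, or {@code null} when any host is allowed
     * @throws AccessControlException if the host is not allowed
     */
    private void validateRequestorHost(String proxyUser, String hostname, Set<String> validHosts) throws IOException, AccessControlException {
        if (validHosts == null) {
            return;
        }
        // The second lookup re-normalizes an already normalized name; kept so the set of
        // accepted names stays exactly what it was.
        if (!validHosts.contains(hostname) && !validHosts.contains(normalizeHostname(hostname))) {
            throw new AccessControlException(MessageFormat.format("Unauthorized host [{0}] for proxyuser [{1}]", hostname, proxyUser));
        }
    }

    /**
     * Rejects the request unless the impersonated user belongs to at least one allowed group.
     *
     * @param proxyUser the proxy user, used in the error message
     * @param user the user to impersonate, whose groups are looked up via {@code GroupsService}
     * @param validGroups the allowed groups, or {@code null} when any user may be impersonated
     * @throws AccessControlException if the user is in none of the allowed groups
     */
    private void validateGroup(String proxyUser, String user, Set<String> validGroups) throws IOException, AccessControlException {
        if (validGroups == null) {
            return;
        }
        List<String> userGroups = ((GroupsService) this.services.get(GroupsService.class)).getGroups(user);
        for (String group : validGroups) {
            if (userGroups.contains(group)) {
                return;
            }
        }
        throw new AccessControlException(MessageFormat.format("Unauthorized proxyuser [{0}] for user [{1}], not in proxyuser groups", proxyUser, user));
    }

    /**
     * Resolves a host name or address to its canonical host name.
     *
     * @throws AccessControlException (unchecked) if the name cannot be resolved, so an
     *         unresolvable host is treated as a denial
     */
    private String normalizeHostname(String name) {
        try {
            return InetAddress.getByName(name).getCanonicalHostName();
        } catch (IOException e) {
            throw new AccessControlException(MessageFormat.format("Could not resolve host [{0}], {1}", name, e.getMessage()));
        }
    }

    /** No resources to release. */
    @Override // org.apache.oozie.service.Service
    public void destroy() {
    }
}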
